I'm a soon-to-be 29-year-old guy with a master's in information technology working full time as a .NET developer. I've had an interest in security, especially pentesting, since high school, but back then I never really considered it as a career path option. Lately, over the last year, I've begun to read more and more security articles, tutorials etc., and I've started coding in Python, trying to make small client-server back doors, my own HTTP server and stuff like that to get an in-depth knowledge of networking and protocols etc. I'm also reading Counter Hack Reloaded, and this world of security is so much more exciting compared to my daily job.

Hence I dream of a career within pentesting, but do you guys think it is too late for me to change direction from being a 'commercial' .NET developer without any real knowledge within security to becoming a professional pentester? If not, how would you approach this endeavour, and what path do you think I should take? The reason why I'm so in doubt is because this field is so large and requires such a broad knowledge, and I can code, but I really don't know where to start.

I don't have any really useful knowledge within security, so I'm a complete newbie. I only have like 3 years of programming experience, but I consider myself a fast learner.

What do you guys think, am I too late with this, and is my age against me, or how and where could I start with my current knowledge?

Why don't you leverage what you know instead of trying to start from scratch? Web app pen testing is hot right now, and your .NET knowledge clearly puts you in a good position for understanding how ASP.NET applications work behind the scenes (I assume you're doing thick-client development since you didn't mention ASP).

And even if you want to start from scratch, 29 is not too late. However, you're going to have to accept that it's going to take years of work to become competent, and you may have to take a drop in pay and seniority to migrate into a relatively different field.

If I were you, I'd use my existing knowledge and skills and take on some security responsibilities, or obtain a position that has such responsibilities, and then keep working towards a full-time security position step-by-step.

I changed careers from network admin to pentesting at 30. I managed to do so without taking a pay cut. It's possible, you just have to be strategic about it. Like ajohnson said, the next logical step in my eyes is for you to become a web app ninja. You'll have to convince a potential employer that you actually know what you're talking about. You might want to start blogging, or publishing useful code to the community... whatever it is, just start showing that dream company that you're a ninja. Where are you located?

Thank you all for your answers. It's comforting to get some support from people with experience already on the same path. I think I'll read up on web app pentesting and try to use some of my experience with WCF from the .NET world. Better start somewhere than nowhere I guess.

Oh, in that case, you may have to move as well. I'm not trying to discourage you, but it doesn't sound like there's a lot of opportunities over there. MaXe, despite his impressive skills, actually relocated to Australia for a full-time pen testing gig: https://forum.intern0t.org/blogs/maxe/1 ... nning.html

Thank you. Moving out of the country is not an option for me in the near future, but I do live in Copenhagen, so I think that might be the best place to be located, if you are unable to move. Thanks a lot for the link to CSIS, that definitely seems to be a dream place for me to get hired.

I will stay on this kind forum, and hopefully learn a lot of stuff, and maybe with time give something back to this community.